
Critical Moodle Vulnerability Could Lead to Server Compromise

A critical vulnerability in Moodle, an open source system deployed across hundreds of thousands of universities, could expose the server to compromise.

A critical vulnerability in Moodle, an open source PHP-based learning management system deployed across scores of schools and universities, could expose the server it's running on to compromise.

Tens of thousands of universities worldwide, including the California State University system, the University of Oxford, and Stanford University, use the service to provide students with course outlines, grades, and other personal data.

The issue–at its root a SQL injection vulnerability–could be used by an attacker to execute PHP code on a university’s server, according to Netanel Rubin, the researcher who found the bug.

Until patched, Rubin warns the vulnerability will continue to affect “almost all Moodle versions,” including 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.

According to Rubin, the vulnerability stems from a handful of small logical vulnerabilities that chain together.

Moodle is a project with lots of code–two million lines, according to Rubin. Because of that and the fact that many developers oversee it, the system was designed with the assumption that one feature, user preferences, couldn’t be taken advantage of.

Rubin discovered, however, that he could exploit the feature and reach an unserialize call by leaving a preference in a block mechanism empty. That could open the door to an object injection attack.
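To make the object-injection risk concrete, here is an added illustration (not Moodle's code, and not Rubin's research) of the difference between restoring a stored user preference with an unrestricted unserialize() call and restoring it with class instantiation disabled. The AuditLogger class, the in-memory $prefs array and the serialized values in it are all constructed for this example; the point is that a serialized object placed into a preference slot runs its magic methods the moment unserialize() builds it, whereas the hardened reader never creates an object at all.

```php
<?php
// Added example, not from the article or from Moodle: contrasting an unsafe
// preference reader with a hardened one. The store is a constructed array.

// Hypothetical class whose __wakeup() has a side effect. It stands in for
// any loaded class that an attacker-controlled unserialize() could build.
class AuditLogger
{
    public string $path = '/tmp/audit.log';

    public function __wakeup(): void
    {
        // Runs as soon as unserialize() reconstructs the object.
        echo "AuditLogger::__wakeup() ran for {$this->path}\n";
    }
}

// Constructed preference store: values are whatever a user saved earlier.
// 'theme' is a legitimate array; 'sidebar' is a tampered object payload.
$prefs = [
    'theme'   => serialize(['name' => 'dark', 'fontsize' => 14]),
    'sidebar' => 'O:11:"AuditLogger":1:{s:4:"path";s:13:"/tmp/evil.log";}',
];

// UNSAFE: unserialize() without a class restriction instantiates any class
// named in the input and runs its magic methods (__wakeup, __destruct, ...).
function getPreferenceUnsafe(array $prefs, string $name): mixed
{
    $raw = $prefs[$name] ?? '';
    if ($raw === '') {
        return null;
    }
    return unserialize($raw);
}

// HARDENED: forbid object creation entirely. An object payload degrades to
// __PHP_Incomplete_Class, which fails the is_array() check and is rejected.
function getPreferenceSafe(array $prefs, string $name): ?array
{
    $raw = $prefs[$name] ?? '';
    if ($raw === '') {
        return null;
    }
    $value = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        // Preferences are only ever stored as plain arrays; anything else is tampered data.
        return null;
    }
    return $value;
}

getPreferenceUnsafe($prefs, 'sidebar');          // prints the __wakeup() line
var_dump(getPreferenceSafe($prefs, 'sidebar'));  // NULL: no object was created
var_dump(getPreferenceSafe($prefs, 'theme'));    // the saved array
```

The `allowed_classes` option exists in PHP 7.0 and later; where the stored data is only ever scalars and arrays, storing it as JSON and reading it back with json_decode() removes the unserialize() surface altogether, which is the stronger fix.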

While the attack had its limitations, Rubin discovered a way to pivot from it to a series of method calls. From there, he found he could use the system’s “update” method to update any row in an affected database. This gave him the ability to tweak administrator accounts, passwords, the site configuration, “basically whatever we want,” he wrote.

Rubin used a double SQL injection to top off his exploit, helping him gain full administrator privileges on any server running Moodle.

“After gaining full administrator privileges executing code is as simple as uploading a new plugin or template to the server,” Rubin writes.

Authors

Threatpost
